Five-year sentences for teens behind £29m London cyber-attack
The jailing of two teenagers for a devastating hack on Transport for London highlights the growing threat loose networks of young cyber-criminals pose to European critical infrastructure.
Owen Flowers, 18, and Thalha Jubair, 20, were each sentenced to five years and six months in prison for crippling Transport for London (TfL) last year. The pair, who were 17 and 18 at the time of the August 2024 offence, breached the network by tricking a help desk worker into resetting a password for an employee they were impersonating.
The resulting 16-hour intrusion, which the hackers livestreamed online, compromised the personal data of up to 10 million customers. TfL was forced to disconnect its systems from the internet to halt the breach, leaving 148 technology systems inoperable and costing the transport authority £29 million.
The attack underscores the vulnerability of major European organisations to basic social engineering rather than complex code. Scattered Spider, the loose collective the pair belonged to, has been linked to attacks on retailers including Marks and Spencer and the Co-op. Arrests of youths connected to the group have also occurred in the US and Finland, signalling a borderless problem for Western businesses.
Both defendants presented profiles that are becoming familiar to law enforcement: isolated, computer-obsessed young men driven by online notoriety. Despite police seizing around £1 million in cryptocurrency from Flowers, the court heard the duo spent time searching the stolen Oyster card database for celebrity details.
Their histories revealed repeated failures to intervene before severe damage was done. Jubair had 22 previous convictions for hacking, fraud and harassment, including a Youth Rehabilitation Order for prior offences with the Lapsus$ group that targeted Nvidia and BT. Flowers had received a cease and desist order for minor cyber crime just months before the TfL attack.
Even after their arrests, both men were caught with contraband phones in prison while coordinating future attacks. Paul Foster, head of the National Cyber Crime Unit, said the case demonstrated how the online world exposes young people to criminal communities beyond their front door. However, cyber security analyst Allison Nixon warned that jail time alone would not deter others, arguing that policymakers must treat the phenomenon as a violent youth gang problem driven by a culture that idolises maximising victim harm.